ext4: CVE-2018-1092

ext4: fail ext4_iget for root directory if unallocated

References:
https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit/?id=8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44

Change-Id: If2dd6fd5735e5e0e3282342dec93342f6b2c0943
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>

2 files changed, 51 insertions, 0 deletions

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index 3fa8213..4b6ec00 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -11,3 +11,6 @@ patch CVE-2018-7480-blkcg-fix-double-free-of-new_blkg-in-blkcg_init_queu.patch
 
 #CVEs fixed in 4.9.92:
 patch CVE-2018-1130-dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch
+
+#CVEs fixed in 4.9.96:
+patch CVE-2018-1092-ext4-fail-ext4_iget-for-root-directory-if-unallocate.patch
diff --git a/patches/cve/CVE-2018-1092-ext4-fail-ext4_iget-for-root-directory-if-unallocate.patch b/patches/cve/CVE-2018-1092-ext4-fail-ext4_iget-for-root-directory-if-unallocate.patch
new file mode 100644
index 0000000..5d1d8dc
--- /dev/null
+++ b/patches/cve/CVE-2018-1092-ext4-fail-ext4_iget-for-root-directory-if-unallocate.patch
@@ -0,0 +1,48 @@
+From 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 29 Mar 2018 21:56:09 -0400
+Subject: [PATCH] ext4: fail ext4_iget for root directory if unallocated
+
+If the root directory has an i_links_count of zero, then when the file
+system is mounted, then when ext4_fill_super() notices the problem and
+tries to call iput() the root directory in the error return path,
+ext4_evict_inode() will try to free the inode on disk, before all of
+the file system structures are set up, and this will result in an OOPS
+caused by a NULL pointer dereference.
+
+This issue has been assigned CVE-2018-1092.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=199179
+https://bugzilla.redhat.com/show_bug.cgi?id=1560777
+
+CVE: CVE-2018-1092   
+Upstream-Status: Backport
+
+Reported-by: Wen Xu <wen.xu@gatech.edu>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/ext4/inode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index 4359655..18aa2ef 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -4732,6 +4732,12 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
+                goto bad_inode;
+        raw_inode = ext4_raw_inode(&iloc);
+ 
++       if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) {
++               EXT4_ERROR_INODE(inode, "root inode unallocated");
++               ret = -EFSCORRUPTED;
++               goto bad_inode;
++       }
++
+        if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
+                ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize);
+                if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize >
+-- 
+
+